There has been a lot of talk about whether President Obama should issue a cyber-security Executive Order since a Congressional filibuster last month killed the idea in bill form. And pressure is mounting on both sides of the debate. While the US Chamber of Commerce and other business groups are opposed to an executive order, just this week Sen. Jay Rockefeller of West Virginia, who is in favor of it, wrote to the CEOs of the 500 largest US companies to request their views on cybersecurity and the legislation aimed at protecting the nation’s critical infrastructure from computer attacks. (As an aside, I’d be interested to know what sort of response the Senator gets from the letter and how much the companies will divulge.)
Whether Obama will ever issue an order, I don’t know. What I can comment on based on my experience in the security industry, and having worked with the US Dept. of Defense and other Government agencies on cyber threat issues, is that for a directive of any kind to have impact it should include these five things:
- A clear definition of which services or sectors are critical to national security interests. For example, these would include power, water, healthcare, air traffic, etc. So far, the biggest obstacle to getting a bill done has been private sector concerns about having to reveal their security protocols to a government agency. Clearly defining the industries that have a direct tie to national security, and that are already subject to government oversight, could help quell fears of a “big brother” scenario.
- Specific reporting requirements for the sectors defined above. For example, the order would need to provide for collecting information such as how frequently attempted and actual security breaches occur. There needs to be a well thought-out reporting structure for this.
- The designation of a security liaison within every organization who is responsible for reporting directly to the government. Whether this person is in risk management, IT or the legal department, defining this role and the responsibilities within it would make it clear that this is not everybody’s or nobody’s job. What would this job entail? While reporting data would be a significant part of it, the communication needs to go beyond the sharing of spreadsheets and include regular dialogue between those running critical infrastructure and the government.
- A timeline of minimum security goals that must be met. Clearly, given the size and ever-changing nature of the cyber-threats we face, it would be impossible to batten down every hatch right away. But we do need an aggressive timeline to meet minimally acceptable standards.
- Penalties for noncompliance. Whether it’s fines or tax implications, or even having a license depend on meeting certain cybersecurity goals, there needs to be a stick to go along with the carrot. In my view, the carrot is the federal government helping to prevent attacks and sharing information on threats in a more organized and effective way. Any sector should be grateful to have inside knowledge that helps it operate more securely.
Of course, if you are relying on the Government to keep you safe, or to organize your cybersecurity priorities, you’re already behind the curve. Companies need to be more proactive in maintaining their own security health; compliance with any law or order does not necessarily mean you are secure.
– Mark Hatton, President, CEO